Even if you define an IAM role, you still need to associate this with an IAM user, or otherwise get an access key and secret via STS, right? So in the end, the plugin would still be using an access key and secret; they'll just be short-lived — depending on how you called STS — and stop working at some point.